This site uses cookies to store information on your computer, to improve your experience. One of the cookies this site uses is essential for parts of the site to operate and has already been set. You may delete and block all cookies from this site, but parts of the site will not work. To find out more about the cookies this site uses and how to delete them, please see the privacy notice.

Fair processing notice

This page provides information about why the NHS records information about you and how it is used; with whom we may share information; your right to see your health records; and how we keep your records confidential.

Introduction

Our CCG holds some information about you. This document outlines:

how that information is used

who we may share that information with

how we keep it secure.

What we do

Our CCG is responsible for planning, buying and monitoring (also known as commissioning) health services from healthcare providers such as hospitals and GP practices for our local population to ensure the highest quality of healthcare. We also have a performance monitoring role of these services, which includes responding to any concerns from our patients on services offered.

What kind of information we use?

We use the following types of information/data:

identifiable - containing details that identify individuals

pseudonymised - about individuals but with identifying details (such as name or NHS number) replaced with a unique code

anonymised - about individuals but with identifying details removed

aggregated - anonymised information grouped together so that it doesn't identify individuals

What do we use anoymised data for?

We use anonymised data to plan health care services. Specifically we use it to:

check the quality and efficiency of the health services we commission

prepare performance reports on the services we commission

work out what illnesses people will have in the future, so we can plan and prioritise services and ensure these meet the needs of patients in the future

review the care being provided to make sure it is of the highest standard

What do we use your sensitive and personal information for

There are some limited exceptions where we may hold and use sensitive personal information about you. For example the CCG has been required by law to perform certain services that involve the processing of sensitive personal information.

The areas where we regularly use sensitive personal information include:

a process where you or your GP can request special treatments that is not routinely funded by the NHS, which are known asIndividual Funding Requests

where there is a provision permitting the use of sensitive personal information under specific conditions, for example to:

understand the local population needs and plan for future requirements, which is known as “Risk Stratification for commissioning".

ensure that the CCG is billed accurately for the treatment of its patients, which is known as “invoice validation”.

monitor access to services, waiting times and particular aspects of care, for which the CCG is considered to be an “accredited safe haven”.

Sensitive personal information may also be used in the following cases:

the information is necessary for your direct healthcare

CCGs responding to patients, carers or Member of Parliament communication

you have freely given your informed agreement (consent) for us to use your information for a specific purpose

there is an overriding public interest in using the information e.g. in order to safeguard an individual, or to prevent a serious crime

there is a legal requirement that will allow us to use or provide information (e.g. a formal court order).

Do you share my information with other organisations?

We commission a number of organisations (both within and outside the NHS) to provide healthcare services to you. We may also share anonymised statistical information with them for the purpose of improving local services, for example understanding how health conditions spread across our local area compared against other areas.

The law provides some NHS bodies, particularly the Health and Social Care Information Centre (NHS Digital), ways of collecting and using patient data that cannot identify a person to help Commissioners to design and procure the combination of services that best suit the population they serve.

Data sets accessed by the CCG

GP Data and Secondary Uses Service (SUS) data (in-patient, out-patient and A&E) may be de-identified and linked so that it can be used to improve healthcare and development and monitor NHS performance. Where data is used for these statistical purposes, stringent measures are taken to ensure individual patients cannot be identified.

When analysing current health services and proposals for developing future services it is sometimes necessary for the CCG to link separate individual datasets to be able to produce a comprehensive evaluation. This may involve linking primary care GP data with other data such as secondary uses service (SUS) data (inpatient, outpatient and A&E). In some cases there may also be a need to link local datasets which could include a range of acute-based services such as radiology, physiotherapy, audiology etc, as well as mental health and community-based services such as Improving Access to Psychological Therapies (IAPT), district nursing, podiatry etc. When carrying out this analysis, the linkage of these datasets is always done using a unique identifier that does not reveal a person’s identity as the CCG does not have any access to patient identifiable data. From October 2016, all data will be de-identified at source and given a new ID allowing records to be linked without identifying the patient. Records can then be linked for the purpose of improving and developing the delivery of health care and monitoring provider performance.

The following list describes the external data processors we work with and the linked datasets they hold :

NEL CSU (Previously South East CSU)

De-identification of existing datasets is currently underway, with a target to implement de-identification at source by mid-October. Creation of a non-identifiable unique ID is underway for Acute patient care records only.

Kent County Council – Kent Integrated Dataset

A&E Attendance

Acute Admitted Patient Care Finished Consultant Episode

Acute Admitted Patient Care Occupied Bed Days

Acute Admitted Patient Care Provider Spell

Acute Outpatient Appointment

KCHFT Community Contact

KCHFT Inpatient Contact

Mental Health Contact

Out of Hours

Hospice at Home

GP Consultation

GP Event

GP Prescription

Social Care

We may also contract with other organisations to process data. These organisations are known as Data Processors. We ensure external data processors that support us are legally and contractually bound to operate and prove security arrangements are in place where data that could or does identify a person are processed.

Currently, the external data processors we work with include (amongst others):

NEL CSU and

Kent County Council

Optum Commissioning Support Services

Invoice Validation

Invoice validation is undertaken to ensure that the CCG is paying for treatments relating to its patients only. The dedicated NECS team receives patient level information direct from the hospital providers and undertakes a number of checks to ensure that the invoice is valid and that it should be paid for by the CCG. The CCG does not receive or see any patient level information relating to these invoices.

Optum CSS receives identifiable data into their Controlled Environment for Finance (CEfF) to securely support the invoice validation process. As Data Processor for the CCG, Optum CSS is allowed to process Personal Confidential Data (PCD) which is required for invoice validation purposes. This approval is subject to a set of conditions. The legal basis for this processing is under the Health Service (Control of Patient Information) Regulations 2002 (a) also known as ‘section 251 support’) and details of Confidentiality Advisory Group (CAG) approval CAG 7-07(a-c)/2013 are provided at https://www.hra.nhs.uk/planning-and-improving-research/application-summaries/confidentiality-advisory-group-registers/

Optum CSS receives pseudonomised information from AGEM CSU and undertake a number of checks to ensure invoices are valid and should be paid for by the CCG. The CCG does no receive or see any patient level information relating to these invoices.

Risk Stratification

Where we analyse population data to provide lists of patients to GPs where a person may benefit from a targeted healthcare intervention: we call this Risk Stratification.

Risk Stratification is based on research that shows a person that has a recognised history and characteristics may avoid an undesirable health outcome if the signs are recognised and a particular action is taken early enough.

Your GP Surgery uses the services of a health partner, Optum CSS, to identify those most in need of preventative or improved care. This contract is arranged by us.

Neither we nor Optum CSS will at any time have access to your personal or confidential data. They act on behalf of your GP to organise this service with appropriate contractual and security measures.

Your personal and confidential data is extracted from your GP computer system and will be processed without any staff being able to view the data. Typically they will process your data using indicators such as your age, gender, NHS number and codes for your medical health to identify those who will benefit from clinical intervention.

Only your GP is able to view the outcome and will make the decision on whether you should be contacted with the offer of any extra clinical assistance.

We have implemented strict security controls to protect your confidentiality and recommend this as a secure and beneficial service to you. At all times, your GP remains accountable for how your data is processed. If you do not wish your information to be used in this way, you can inform your GP that you would like to ‘opt out’ using either Type 1 or Type 2 Opt Outs, see below for more detail on the Opt Outs. Your GP will mark your record with either Type 1 or Type 2 Opt Out so it is not sent to Optum for risk stratification purposes

The lawful basis to use this information for risk stratification has been allowed by s251 NHS Act 2006 and is processed by Optum or other approved providers only. Further information on risk stratification is provided on the NHS England website at the following page (Risk Stratification) and on the Confidentiality Advisory Group (CAG) at CAG

Patient right to object to processing/opt-out

There are choices you can make about how your information is used, and you can choose to opt out of your information being shared or used for any purpose beyond providing your care. Please note that not choosing to share your information may have an impact on your care and by sharing your information will improve NHS services and the experience of treatment and care for our patients.

If you do not want your information to be used for any purpose beyond providing your care you can choose to opt-out. There are two types of opt-out. You can withdraw either opt-out at any time by informing your GP practice.

Type 1 opt-outs

If you do not want information that identifies you to be shared outside your GP practice, for purposes beyond your direct care, you can register a type 1 opt-out with your GP practice. This prevents your personal confidential information from being used other than in particular circumstances required by law, such as a public health emergency like an outbreak of a pandemic disease.

Type 2 opt-outs

NHS Digital (HSCIC) collects information from a range of places where people receive care, such as hospitals and community services. If you do not want your personal confidential information to be shared outside of NHS Digital (HSCIC), for purposes other than for your direct care, you can register a type 2 opt-out with your GP practice.

A direction from Secretary of State sets out the Department of Health policy as to how type 2 opt-outs must be applied and instructs NHS Digital (HSCIC) to apply type 2 opt-outs from 29 April 2016.

When NHS Digital (HSCIS) has collected information about your type 2 opt-out from your GP practice they use that to create a record of all current type 2 opt-outs. Then NHS Digital use that record to check against any set of data that is to be made available by NHS Digital (HSCIC) to another organisation and remove all of your personal confidential information if it is in that data set, before that data are made available.

The direction sets out the scope of when your type 2 opt-out does not apply, such as when there is a legal requirement to release information, or where you have given your consent to a specific release of your information.

There are also some limited circumstances, which are set out in the direction, when we don't apply your type 2 opt-out to information made available. These are cases where:

The Secretary of State for health has identified the information flow is very important.

There are complex technical barriers that make it very difficult to apply opt-outs.

For more information on how we collect and use opt-out information see Applying Type 2 Opt Outs

For more information about care records and how to access them see NHS Choices. For details about how public bodies must make information available, see the model publication scheme published by the Information Commissioner's Office.

NHS Digital takes the responsibility for looking after care information very seriously. Please follow links on how we look after information for more detailed documentation.

What are your rights?

Where information from which you can be identified is held, you have the right to ask to:

ask us to stop processing information about you where we are not required to do so by law – although we will first need to explain how this may affect the care you receive

What safeguards are in place to ensure data that identifies me is secure?

We only use information that may identify you in accordance with the Data Protection Act 1998. The Data Protection Act requires us to process personal data only if there is a legitimate basis for doing so and that any processing must be fair and lawful.

Within the health sector, we also have to follow the common law duty of confidence, which means that where identifiable information about you has been given in confidence, it should be treated as confidential and only shared for the purpose of providing direct healthcare.

The NHS Digital Code of Practice on Confidential Information applies to all of our staff, and they are required to protect your information, inform you of how your information will be used, and allow you to decide if and how your information can be shared. All CCG staff are expected to make sure information is kept confidential and receive annual training on how to do this. This is monitored by the CCG and can be enforced through disciplinary procedures.

We also ensure the information we hold is kept in secure locations, restrict access to information to authorised personnel only, protect personal and confidential information held on equipment such as laptops with encryption (which masks data so that unauthorised users cannot see or make sense of it).

We ensure external data processors that support us are legally and contractually bound to operate and prove security arrangements are in place where data that could or does identify a person are processed.

The CCG has an Executive Director responsible for protecting the confidentiality of patient information. This person is called the Caldicott Guardian.

The CCG is registered with the Information Commissioner’s Office (ICO) as a data controller and collects data for a variety of purposes. A copy of the registration is available through the ICO website (search by CCG name).

How long do you hold confidential information for?

Gaining access to the data we hold about you

The CCG does not directly provide health care services and therefore does not hold personal healthcare records. If you wish to have sight of, or obtain copies of your of your own personal health care records you will need to apply to your GP Practice, the hospital or NHS Organisation which provided your health care.

Everybody has the right to see, or have a copy, of data we hold that can identify you, with some exceptions. You do not need to give a reason to see your data, but you may be charged a fee.

If you want to access your data you must make the request in writing. Under special circumstances, some information may be withheld.

If you wish to have a copy of the information we hold about you, please note that there may be a charge for this (of up to £50). Please contact: SKCCCG.IG@nhs.net

What is the right to know?

The Freedom of Information Act 2000 (FOIA) gives people a general right of access to information held by or on behalf of public authorities, promoting a culture of openness and accountability across the public sector.

What sort of information can I request?

In theory, you can request any information that South Kent CoastCCG holds, that does not fall under an exemption. You may not ask for information that is covered by the Data Protection Act.

Complaints or questions

We try to meet the highest standards when collecting and using personal information. For this reason, we take any complaints we receive about this very seriously. We encourage people to bring concerns to our attention if they think that our collection or use of information is unfair, misleading or inappropriate. nelcsu.secomplaints@nhs.net